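' CGI "file viewer" test.  Serves a file from the program's own working
' directory, chosen by the "name" query/form parameter, as text/plain; with
' no name, or on an error, it prints an HTML page with a filename form.
$OPTIMIZE ON
$TYPECHECK ON
' NOTE(review): the $INCLUDE file names are missing from this copy of the source.
$INCLUDE
$INCLUDE
$APPTYPE CGI
$ESCAPECHARS ON

DECLARE SUB Main
DECLARE SUB PrintMenu(errorType AS INTEGER, name$ AS STRING)
DECLARE SUB PrintFile(name$ AS STRING)

CREATE CGI AS QCGI
    AutoConvert = 1 'true
END CREATE

' Entry point: read the untrusted "name" parameter, strip everything that
' could make it name a directory, then show the menu (empty) or the file.
SUB Main
    DEFSTR name$
    DEFSTR before$
    'This tries to prevents a malicious user from getting to files outside the directory the program is in...
    'Get value
    name$ = CGI.Get("name", name$)

    ' Path-traversal mitigation: remove every directory separator (literal
    ' and URL-encoded, both cases) and every "..", so whatever survives can
    ' only name an entry directly inside CURDIR$.
    ' The removals repeat until the name stops changing.  A single pass in
    ' the original order could leave a ".." behind when removing a later
    ' pattern joined two dots that were processed separately.
    before$ = ""
    WHILE before$ <> name$
        before$ = name$
        'Remove other slashes
        name$ = REPLACESUBSTR$(name$, "%5C", "")
        'Don't forget lowercase...
        name$ = REPLACESUBSTR$(name$, "%5c", "")
        'Remove real slashes
        name$ = REPLACESUBSTR$(name$, "\\", "")
        'Remove ..
        name$ = REPLACESUBSTR$(name$, "..", "")
        'Remove forward slashes (in hex)
        name$ = REPLACESUBSTR$(name$, "%2F", "")
        'Don't forget lowercase...
        name$ = REPLACESUBSTR$(name$, "%2f", "")
        'Remove forward slashes
        name$ = REPLACESUBSTR$(name$, "/", "")
    WEND

    IF (LEN(name$) = 0) THEN
        PrintMenu(0, name$)
    ELSE
        PrintFile(name$)
    END IF
END SUB

Main()

' Prints the HTML menu page and terminates the program (the trailing END).
'   errorType: 0 = no error, 1 = file not found, 2 = file could not be opened
'   name$:     the requested file name, echoed in the error text
' NOTE(review): the HTML tags inside the PRINT literals appear to have been
' stripped from this copy of the source; restore them from the original.
SUB PrintMenu(errorType AS INTEGER, name$ AS STRING)
    PRINT "Content-type: text/html\n\n"
    PRINT ""
    PRINT ""
    PRINT "CGI Test - Enter a filename"
    PRINT ""
    PRINT ""
    IF (errorType = 1 OR errorType = 2) THEN
        ' name$ comes straight from the request and lands in an HTML body,
        ' so it is HTML-encoded first; otherwise it is a reflected-XSS sink.
        DEFSTR safe$ = name$
        safe$ = REPLACESUBSTR$(safe$, "&", "&amp;")
        safe$ = REPLACESUBSTR$(safe$, "<", "&lt;")
        safe$ = REPLACESUBSTR$(safe$, ">", "&gt;")
        safe$ = REPLACESUBSTR$(safe$, CHR$(34), "&quot;")
        safe$ = REPLACESUBSTR$(safe$, "'", "&#39;")
        DEFSTR text$ = safe$ + " could not be "
        SELECT CASE errorType
            CASE 1: text$ = text$ + "found"
            CASE 2: text$ = text$ + "opened"
            DEFAULT: text$ = text$ + "selected"
        END SELECT
        text$ = text$ + "!"
        PRINT "" + text$ + ""
    END IF
    PRINT "Please enter a filename:"
    PRINT ""
    PRINT ""
    PRINT ""
    PRINT ""
    PRINT ""
    PRINT ""
    ' END terminates the CGI here, so callers need no EXIT SUB after PrintMenu.
    END
END SUB

' Streams the named file from CURDIR$ as text/plain, or falls back to the
' menu with a "not found" (1) or "could not be opened" (2) error.
'   name$: file name already stripped of separators and ".." by Main
' NOTE(review): any readable file in CURDIR$ (including this program's own
' source or configuration) is served; reserved device names such as NUL or
' CON are not filtered here - confirm behaviour on the target OS.
SUB PrintFile(name$ AS STRING)
    DIM File AS QFILESTREAM
    'another security procedure is to start eveything from a working directory
    DEFSTR filename$ = CURDIR$ + "\\" + name$

    ' Never serve the CGI executable itself.  Compared case-insensitively
    ' (the "\\" separator suggests Windows, whose file names are), and
    ' against both the bare name and the built path, because it is not
    ' visible here whether Application.ExeName carries a directory part.
    IF UCASE$(name$) = UCASE$(Application.ExeName) OR UCASE$(filename$) = UCASE$(Application.ExeName) THEN
        PrintMenu(1, name$) 'File not found error; PrintMenu ENDs the program
    END IF

    IF FILEEXISTS(filename$) THEN
        IF File.Open(filename$, fmOpenRead) THEN
            ' Header is only sent once the open succeeded, so the failure
            ' branch can still emit its own text/html header via PrintMenu.
            PRINT "Content-type: text/plain\n\n"
            WHILE NOT(File.EOF)
                PRINT File.ReadLine
            WEND
            File.Close
        ELSE
            PrintMenu(2, name$)
        END IF
    ELSE
        PrintMenu(1, name$)
    END IF
END SUB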